SSL2BUY Wiki
News, Information and Resources about SSL Certificates
Comodo
AlphaSSL
RapidSSL
GeoTrust
Thawte
GlobalSign
DigiCert
Symantec
Authorized Reseller

Why I Should Sign My Code and Verify it Before Publishing?

This article briefs you required security measures for software developers and how to sign code before publishing a desktop, mobile applications and executable software.

A beginner should understand below technical terms to understand the code signing and publishing process.

  • Software: The program developed by an individual or company to be used on the computer and/or mobile devices.
  • Code: A professional combination of words, letters, questions, logic, numbers, etc. to design software with a purpose.
  • Developer: A company or an individual behind writing, designing and publishing a specific program or software.
  • Code Signing: A process to digitally sign the software with specific accredited certificates.
  • Code Signing Certificate: The signature file issued by an accredited Certificate Authority to an individual or company.
  • Time Stamping: A digital record to show when the software was signed any stamped prior software publishing process.
  • Smart Screening: A process to identify that the foreign application is safe, secure and legitimate or not.

code-signing-certificate

It is estimated that the global software development market size was $142.50 billion in 2021, which is forecasted at $1159.20 billion in the 2031 year.

Another study shows that 97K android apps were released in Google Play in October 2022 compared to 75.4K android apps were released in 2022.

android apps released

A developer or business invests big time and huge money in developing software with a monetization purpose or facilitate the services to their customers. In a similar domain, not all the applications get rocket fly downloads and installations. Some failed in user friendliness, others failed in competition – but most failed to gain users’ trust. Before introducing your Intel to customers, a business should make sure that their software is developed in a secure production platform and must be signed by an accredited authority.

The majority of digital production houses follow sigma standards while developing a mobile application or desktop software like secure CI/CD, use of legitimate programs, valid licensed application development platforms, certified developers, disinfected computers, etc. But most of them miss a very crucial part of making that software or application trustworthy.

Desktop and mobile users download average 10 applications per device every day and avoid installing 50% applications with suspicious reasons and 25% of them uninstall applications immediately after installation.

Here, we’ll focus discussion about the suspicious reasons considered by users which stop them installing applications or software on devices. Before publishing your mobile application or desktop software, you should think on how to make your publication trustworthy and legitimate for the targeted audience.

Nowadays, mobile and desktop operating systems like Microsoft, Apple, Android, Linux, etc. are more concerned to protect their users from tempered, infected and malicious software. They provide built-in application scanners to understand the purpose and trustworthiness of the software being installed by the user.

The smart screening process won’t let the user install malicious or suspicious software or may ask user’s consent (with a warning message) before installation begins. Smart screening process is controlled by an operating system (OS) and antivirus software also. We all might have seen a screen like below very frequently while installing printer drivers or backup applications or data recovery applications.

smart screening process

Our first step is to understand smart screening process and how to pass screening with full marks.

OS or antivirus software scan the foreign applications to get information like, Purpose of the Application, Publisher Information, Publishing Date, etc. Also the engine will match the app’s signature with an existing database of safe and harmful applications.

To add the publisher information in software publish version, a developer the Code Signing process.

What is a Code Signing and what do I need to complete this process?

Code Signing is a process to embed publisher information into software or application’s published version. The publisher information is a bunch of details like a person or business who is publishing this application, publishers’ physical location, contact details like email address or phone number. All these information should be verified by an accredited third party offered in a single digital piece.

To sign the application code you need,

  • A Code Signing Certificate issued by Globally Trusted Certificate Authority (aka CA).
  • Software or tool to embed this Code Signing Certificate in your application.
  • Valid time stamp server connection to add exact date & time of stamping in your digital publication.

Who provides highly trusted Code Sign Certificates?

Code Sign Certificates issued only by CAs like DigiCert, Comodo, Sectigo, and Entrust are widely trusted 100% operating systems and antivirus software. You should check the trustworthiness of a CA (out of the above list) before purchasing their signing certificates and solutions.

How many types of Code Signing Certificates provided by CA?

Code Signing Certificates are categorized based on,

Requestor type: Individual & Business or Organization

Verification of Requestor: Standard Individual verification, Basic Organization Verification, Extended Verification of Business

What is the cost of a Code Signing Certificates?

Code Sign certificates cost depends on the channel you choose to purchase it from like a direct vendor or an authorized distributor.

Here you can compare the pricing of an OV Code Sign and EV Cod Sign Certificates.

Product Name Type Direct Price Distributor Discount Price
DigiCert OV Code Signing Certificate OV $474.00/year $410.00/year Buy Now
DigiCert EV Code Sign Certificate EV $664.00/year $574.33/year Buy Now
Sectigo OV Code Signing Certificate OV $166.00/year $52.80/year Buy Now
Sectigo EV Code Signing Certificate EV $299.00/year $210.32/year Buy Now
Comodo OV Code Signing Certificate OV $166.00/year $52.80/year Buy Now
Comodo EV Code Signing Certificate EV $299.00/year $210.32/year Buy Now
Entrust Code Signing Certificate OV $299/year

Where do I buy trusted Code Signing Certificates?

Always choose a trustworthy CA and Distributor to source a Code Signing Certificate for your business. Some cheaper price advertisers may catch your attention, but it may cost very big financial or reputation loss for your business.

How do Code Signing process and Code Sign Certificates help us to get rocket like downloads?

A digitally signed executable software and mobile applications will automatically pass smart screening process followed by OS like windows, android, iOS, etc. The user will never experience an unsafe software warning and this helps to increase applications installs and downloads.

How to identify whether the software is signed or not?

Once you sign your code, the digital properties of the software will look like the below image. You can compare digital properties of a signed and an unsigned software or application in the below image.

signed unsigned software

What is the role of SSL2BUY in delivering trust for Software and their publishers?

Since 2010, SSL2BUY is an authorized and highly reputed distributor of well-known CAs like DigiCert, GlobalSign, Sectigo, RapidSSL, and Comodo. We’re an authorized international reseller of Code Signing Certificates and Website Security Certificates. We deliver trust with confidence to customers, the best pricing and 4.9/5 star rated customer service.

How the code signing process differs for Mobile and Desktop Applications?

Microsoft

To distribute an app on Windows Marketplace for Mobile, developers are required to sign every content update before apps are made available in the app store catalog.

Some examples of code-signed software are Windows applications, Windows software updates, Apple software, Microsoft Office VBA objects and macros, .jar, .air, and .airi files, and any type of executable file.

Process for Windows:

  • Signed using Visual Studio OR SignTool, which is part of the Windows SDK.
  • A valid code sign certificate issued by a Trusted/Reputed CA, and a PFX file.
  • A packaged Windows app, for example, an .appx file created by using the app package tool. (Such as MakeAppx.exe)

Apple

For IOS applications, code signing uses Xcode. To upload software to the iTunes store, the user must have a valid Apple Developer ID with a valid certificate or profile before Xcode will sign the software.

Unlike Android, you cannot install any app on an iOS device. It has to be signed by Apple first.

Pre-Requisite:

  • macOS
  • Apple Developer Membership
  • Xcode 9+

To integrate an application, the developer will need to use a development certificate. In order to run the app on any device, a distribution certificate must be used to send out the app and test it.

Third-party apps must also be validated and signed using an Apple-issued certificate.

Android

APK is the file extension for android mobile platform (Android Application Package).

What do we need for code signing?

  • Send the package to the distributor.
  • Create the Java Development Kit (JDK) file.
  • Sign our app bundle or APK with our private key.
  • Modify the build.Gradle

Applications can be signed by a third-party (OEM, operator, alternative market) or self-signed.

Android provides code signing using self-signed certificates that developers can generate without external assistance or permission. Applications do not have to be signed by a central authority. Android currently does not perform CA verification for application certificates.

In case of Android apps, the certificate does not need to be signed by a certificate authority.

How to Sign My Code?

Once you complete all the required verification and CA issues a Code Signing certificate, it will be sent through an email. The bundle sent by CA will have a .p12(PFX) file, which your need to save on your device. You will have to convert the file if it is not in PFX format. The process of singing code may differ according to the platform or machine you are executing.

How to Sign My Code with Microsoft Visual Basic for Applications (VBA)?

You can digitally sign content developed on Microsoft Office apps such as Word, Excel, and Visual Studio.

  • Open your project file.
  • Under the developer tab, you need to click on the code section
  • In the code section, find “visual basic.”
  • In Visual Basic Project Explorer, search for your project and select it
  • Next, find the Digital Signature in Tools Menu
  • Click on the Digital Signature and choose the certificate for signing the code.
  • Next, click OK twice, and the project will be code signed.

How to Sign My Code with Microsoft Authenticode?

Microsoft Authenticode uses encryptions from cryptographic algorithms to ensure that the integrity of the app’s code is intact. Here is how to code sign MS Authenticode,

  • Run the SDK command prompt to open Microsoft Digital Signing Wizard(You need the NET framework installed for this process)
  • Type signtool.exe signing wizard and hit enter
  • A new digital signature window will open
  • Click next to continue and browse your certificate file
  • Once you find the file, click next
  • On the next window, click on the “Typical” signing option
  • Now select the option to search for a certificate in the store
  • Select the certificate file located on your device by providing the location path
  • Click on next twice, and your code will be signed.

How to Sign My Code with Microsoft SignTool?

SignTool is a utility tool for developers and publishers for signing code and timestamping files. Fortunately, the modern Windows version comes with a pre-built SignTool. You can use PFX files to code your software on the SignTool through the command prompt.

For PFX file format, you can use the following command line,

signtool sign /f YourCert.pfx /p YourPassword /fd SHA256 YourFile.exe

The above command line works for both self-signed and CA-issued certificates. However, if you don’t have access to the PFX file, you can use the following command line,

signtool sign /n “YourCert_SubjectName /fd SHA256 /v YourFile.exe

Signing with an EV Code Signing Certificate

One of the most significant aspects of an EV code signing certificate is its private key which comes in physical mail stored in USB tokens. Once you receive the package,

  • Plug the USB token into the system
  • Open the middleware client like SafeNet on your system
  • Now open the command prompt and type the following command line,
/tr http://timestamp.CA.com/td sha256 /fd sha256 /a “Insert_path_to_my_file_to_sign_code”
  • You will be asked to enter a password that was set earlier
  • Once you enter the password, your app will be code signed.

How to Sign My Code in Android

Android obliges to sign all APKs with a digital certificate before it is installed on the device. Therefore, developers need to sign app bundle with an upload key. Therefore, it is necessary to sign your APK before distributing to play store or any other store. Below are a few steps to sign your code for Android.

how to sign my code in android

  • You should create an upload key with Android studio and Keystore.
  • After that, sign your app with your upload key. If you do not have signed Bundle, you need to build it
  • Now, you need to configure app signing that is not yet installed. To do this, create an upload key and sign your app with the upload key. Now, sign in to Play Console. After that roll out app release.
  • After you choose a release track, configure app signing under the App Integrity section as follows:
  • You should use your upload key for the first sign your app. You can use the same key as another app in your developer account. You just need to follow below options:
  • Choose Change app signing key
  • Use my own key
  • Use the same key as another app
  • Choose an app
  • Click Continue
  • Upload your app to Google Play
  • Prepare & roll out the release of your app

How to Sign My Code in iPhone

To sign your code in iPhone, you need to create the CSR- Certificate Signing Request. You need to follow below steps to create the CSR.

Open Keychain Access with Spotlight Search on Mac.

Access Menu>> Keychain Access>> Certificate Assistant>> Request a certificate.

open keychain access

You will have a certificate form that you need to fill and click on ‘Saved to disk’. Click ‘Continue’.

Certificate information

Click on ‘Show In Finder’ option. Click on ‘Done’.

Generate the Certificate

To create a certificate, you should have Apple Developer Program Membership. A development certificate is used for internal app development. While a distribution certificate is used for app’s release.

Follow below steps to create distribution certificate:

  1. Access Apple Developer Portal and sign in with User ID and password.

apple developer portal

  1. Choose ‘Certificate, IDs and Profiles’ option.

certificate, id Profile

  1. Click on ‘+’ button.

click + button

  1. Now, choose iOS Distribution option.

choose iOS Distribution option

  1. Click on Choose File and upload the CSR.

Upload the CSR

  1. Download generated iOS distribution certificate to local machine.

download generated iOS distribution

  1. Click the downloaded certificate to add it local device’ keychain.
  2. You can also export certificate from keychain and keep a certificate password.
  3. After certificate generation, a developer need to register App ID, which will make the app identifiable on App store. Below are steps to register App ID.

Register App ID:

Go to the Identifiers option in the left menu and click ‘+’ button.

identifiers option

Choose App ID option and click Continue.

choose app id

Enter the Description and Bundle ID of the app and click Continue.

description bundle id of app

Finally, Click on Register button.

register button

Now, you have successfully register App ID.

How to Sign My Code in Java

Here, we have given an example of signing EV Code Signing certificate in Java platform. You should have EV Code Signing certificate, configured SafeNet Authentication Client version and JDK (Java Development Kit).

First, connect EV Code Signing Token to the USB in your PC.

Open Notepad, create a text file and copy below lines and save it to JDK bin folder.

below lines and save it to JDK bin folder

Open Command Prompt and access JDK bin folder. Now, run below command that will create a alias name of a private key.

open command prompt and access JDK bin folder

Now, you will be asked for password so, keep a password that you created during token enrollment. Here private key alias is le-734f69fa-ba68-4e73-a7ca-027815a944c9.

keep a password that you created during token enrollment

After that, use below code to sign JAR file.

code to sign JAR file

Finally verify that the JAR file is properly configured, use below command.

jarsigner -verify -verbose <your JAR filename>

Conclusion

A Code Signing certificate is essential for the user’s trust and to ensure that your source code is intact. Furthermore, it allows you to ensure that your application is not exposed to cyber-attacks. Increasing cyberattacks and a massive app market mean you must be ready on the security front.

Here we have discussed different types of code-signing certificates and how to use them. However, which one to choose for the signing code will depend upon your project needs.

Content Category: Technical
Content Value: 7.5/10
Targeted Audience: Desktop and Mobile Application Developers & Users
Content Type: Training and Knowledge
Targeted User Age: 15 to 55 years

Related Articles: